More on search
We did a simple search at the end of the previous chapter. Before going on to other commands, however, let's examine how we can do other types of searches. There are several rules to be aware of when doing searches:
1. Searches are generally not case sensitive. To require an exact case match for a particular variation of the word term, enclose it as CASE(term), CASE(Term), or CASE(TERM).
2. There is an implied AND when you use the search command (or the implied search command at the start of each entry in the search bar). For example, when you put log error in the search bar, you will only see events listed that have both log AND error in them.
3. If you want to search for an exact phrase, you need to put it in quotes. Entering "log error" (with the quotes) in the search bar will yield only events containing that exact phrase; an event that reads events with log errors will not appear. Remember these points when designing searches:
◦ If you want to search only a specific field, you need to specify that field. Otherwise, you will be searching all fields. Since you are not always aware of what can appear in other fields, the results can sometimes be surprising if you do not specify the fields you want to search. So, if you want to search the text field for the terms log or error, specify:
text=*log* OR text=*error*
◦ Note that the wildcard asterisks tell the search to bring in every event where the strings above appear anywhere, including occurrences such as bad error or login. If you only want to match log and error as separate whole words, then leave out the asterisks.
4. If you only want to consider events where the text field includes both log AND error, do the following:
text=*log* text=*error*
5. The Boolean operators that Splunk supports, that is, AND, OR, and NOT, must be capitalized.
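To see how these five rules interact, here is an added Python example (not from the original text and not Splunk's own code) that applies them to a handful of constructed events. The event records, the EVENTS list and the search helper are assumptions for illustration only; Splunk's real search engine does far more than this, but the five rules above behave the same way.

```python
import re
import shlex

# Constructed sample events, standing in for what a Splunk index would return.
EVENTS = [
    {"text": "log error on host db1", "host": "db1"},
    {"text": "login failed: bad error code", "host": "web2"},
    {"text": "events with log errors", "host": "web2"},
    {"text": "Log Error rotating archives", "host": "db1"},
    {"text": "disk full", "host": "db1"},
    {"text": "login succeeded", "host": "web2"},
]

def term_matches(term, event):
    """Apply one search term to one event using the rules listed above."""
    everything = " ".join(event.values())     # bare terms search all fields
    if term.startswith("CASE(") and term.endswith(")"):
        # CASE(term): still a whole word, but the letter case must match.
        return re.search(r"\b" + re.escape(term[5:-1]) + r"\b", everything) is not None
    if "=" in term:
        # field=value: only that field; * is a wildcard, so text=*log*
        # also pulls in "login" and text=*error* pulls in "bad error".
        field, value = term.split("=", 1)
        regex = re.escape(value).replace(r"\*", ".*")
        return re.fullmatch(regex, event.get(field, ""), re.IGNORECASE) is not None
    # Bare word or quoted phrase (shlex has stripped the quotes):
    # whole-word, case-insensitive, so "log errors" does not match "log error".
    return re.search(r"\b" + re.escape(term) + r"\b", everything, re.IGNORECASE) is not None

def matches(query, event):
    """Implied AND between terms; only capitalized OR and NOT act as operators."""
    groups = [[]]                          # OR-separated groups of AND-ed terms
    for tok in shlex.split(query):
        if tok == "OR":
            groups.append([])
        elif tok != "AND":                 # AND is implied, so it is just skipped
            groups[-1].append(tok)
    def group_ok(group):
        negate = False
        for tok in group:
            if tok == "NOT":
                negate = True
                continue
            if term_matches(tok, event) == negate:   # wrong truth value for this term
                return False
            negate = False
        return True
    return any(group_ok(g) for g in groups)

def search(query):  # texts of the constructed events the query selects
    return [e["text"] for e in EVENTS if matches(query, e)]
```

Compare search("log error"), search('"log error"'), search("text=*log* text=*error*") and search("log or error"): the first two skip the "login" and "log errors" events, the wildcard form pulls them in, and a lowercase or is just another word to look for.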